Items such as the Reserved Ioun Stone and Ring of Spell Storing state that:
The spell uses the slot level, spell save DC, spell attack bonus, and spellcasting ability of the original caster, but is otherwise treated as if you cast the spell.
There is no mention of not needing components, which suggests that components are needed twice for these items: once to cast the spell into it and again when casting a spell from them.
Is this correct?
I have seen from many different sources the thought process that you can have your Alchemical Homunculus or your Steel Defender use your spell storing item. This would let them take up concentration for an additional spell.
However the more I look into it the less I think you can. I wanted to get clarification from you folks.
Spell Storing item:
While holding the object, a creature can take an action to produce the spell’s effect from it, using your spellcasting ability modifier. If the spell requires concentration, the creature must concentrate.
In combat, the homunculus shares your initiative count, but it takes its turn immediately after yours. It can move and use its reaction on its own, but the only action it takes on its turn is the Dodge action, unless you take a bonus action on your turn to command it to take the action in its stat block or the Dash, Disengage, Help, Hide, or Search action.
In combat, the steel defender shares your initiative count, but it takes its turn immediately after yours. It can move and use its reaction on its own, but the only action it takes on its turn is the Dodge action, unless you take a bonus action on your turn to command it to take one of the actions in its stat block or the Dash, Disengage, Help, Hide, or Search action.
I added emphasis on only. This completely negates the ability to use the Spell Storing Item in combat doesn’t it?
Can a flock of Pegasi summoned mounts Reincarnate any humanoid with a (properly loaded) Ring of Spell Storing?
The points below are not really new per se but rather a cumulative-inductive discovery of StackExchange rulings. These are listed below:
A familiar &/or summoned mount can cast any spell from a Ring of Spell Storing.
A Ring of Spell Storing stores up to five spell-levels – thus fifth lvl max. (hence this includes Reincarnation)
The casting / catching of spells (specifically ‘Reincarnate’ in this case) does not seem to require components. Thus the 1000 gold worth of rare unguents is neither needed to ‘charge’ the ring, nor cast-use it.
Correct use of various summoning spells + Ring o’ SpellStore® allows each familiar &/or steed to have one (1) familiar + one (1) steed each, hence: Menagerie ad nauseam.
Thus it seems that any character with previous access-planning to the right summoning and necromantic spells could have a flight of a few thousand loyal Pegasi striving to Reincarnate them (should they die).
If so: this seems impressive &/or surprising.
I am at the moment using Bitwarden and a separate 2FA app.
I am trying to figure out a way to be able to securely recover my access to credentials and 2FA in case my phone/laptop/other electronic devices get stolen or destroyed and am not sure if what I am doing is good enough.
The app I am using for 2FA allows for encrypted backups with a password. I use Bitwarden to manage my passwords and it also requires a 2FA code from the app.
Now I have a backup of the 2FA app on Bitwarden, where the master passwords for both are long and different (consisting of letters only). I modified the 2FA recovery code for Bitwarden (so that only I know how to read it) and store it on a piece of paper in my wallet and some other places.
My plan is if all goes wrong to gain access to Bitwarden through the recovery code and then download and restore the backup of the 2FA app, in order to regain access to the other places.
Do you think that is secure enough?
Why is it a bad idea to encrypt password/salt hash with RSA (or maybe other public-key algorithm) before storing it?
I have read here, that instead of using pepper, it is better to encrypt hashed/salted passwords before storing in the database. Especially with Java, as there’s no library for salt/pepper, but just for salt hashing, and I’m not going to implement my own crypto in any way. Have questions about it:
- Is it true? Will it add security, if the db server is on another physical computer, and encryption keys are stored on the app server’s fs?
- If so, is it ok to use RSA for hash encryption?
- To check password in this case, is it better to read encrypted password from the DB, decrypt it, and then compare it to the hashed/salted one entered by user, or encrypt entered hashed/salted password and then compare with the encrypted value in the database? In this case, will it be the same as using another hash, as encrypted hash is never decrypted?
Need a solution to securely manage access to the master password of a password management tool (LastPass) that we will soon be rolling out. The requirement is that 2 people in XY country and 2 people in AB country (for business continuity) will need to participate in the process of accessing the master/super admin password. Which physical vault would be the better option for storing and monitoring the master password securely?
I was reading this question and still have doubts about my use case.
I know it’s unsafe to store a JWT in local/session storage due to XSS attacks. But what if it’s for a JWT that only lasts 1 min when they first log in? The client would then use this to get a longer + safer JWT to stay logged in from then on.
I’m using a third party identity provider to handle the initial login. The reason I have to do this is because their API that returns the JWT doesn’t support httpOnly (for whatever reason). I still have to store the JWT temporarily somewhere before I get a new one in an httpOnly cookie from the server. Or should I store it in state (I’m using React)?
Is this approach safe? My reasoning is that even if they do get the JWT, it would only last 1 minute before it expires.
1. User enters credentials on login page. Identity provider returns a 1 min long JWT to the client.
2. Client stores JWT in local storage.
3. Client calls GET /getJWT with the JWT in step 2 in the payload.
4. Server validates the JWT. It issues a new JWT that lasts 15 min. Server sends a response with the JWT in an httpOnly cookie.
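The server side of the exchange in the last two steps, as an added example that is not part of the original post: it verifies the short-lived token and builds the 15-minute httpOnly cookie. The HS256 shared secret, the secrets' values, the cookie name `session` and the function names are assumptions made for the sketch.

```javascript
const crypto = require("node:crypto");

// Assumption: the IdP signs with an HS256 shared secret (constructed value).
// Real providers usually sign with RS256 and publish their keys.
const IDP_SECRET = "constructed-idp-secret";
const SESSION_SECRET = "constructed-session-secret";
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Hypothetical issuer helper; stands in for the IdP and for our own server.
function signJwt(claims, secret) {
  const data = `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url(claims)}`;
  return `${data}.${hmac(data, secret).toString("base64url")}`;
}

// Checks structure, pinned algorithm, signature and expiry; returns the claims.
function verifyJwt(token, secret, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, "base64url").toString());
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  return claims;
}

// Step 4: exchange the 1-minute token for a 15-minute session cookie value.
function exchange(shortToken, nowSec) {
  const { sub } = verifyJwt(shortToken, IDP_SECRET, nowSec);
  const session = signJwt({ sub, exp: nowSec + 15 * 60 }, SESSION_SECRET);
  return `session=${session}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=900`;
}
```

The string returned by `exchange` is the value for a `Set-Cookie` response header.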
So I just got acquainted with the existence of Rings of spell storing.
I was wondering: If I had Beacon of Hope and Sanctuary stored in it, could I use the ring to cast both spells on the same turn? Or would it count as 2 actions instead of 1 action and 1 bonus action?
I have a large database where passwords are stored as strtolower(hex(md5(pass))) (which is a bad way to store passwords, prone to rainbow tables, cheap to dictionary attack, no salt, etc), and I’m tasked with switching from md5 to bcrypt.
I have to use a bcrypt implementation that silently truncates after 72 bytes, and silently truncates on the first null byte (whichever comes first), and bcrypt(strtolower(hex(md5(pass)))) would not be prone to either of those issues.
Also it’s possible to retroactively apply bcrypt to existing strtolower(hex(md5(pass))) password hashes, without requiring everyone to re-login/switch passwords.
Is it a bad idea? I don’t think so, but still want to hear what security.SE has to say. Maybe there is something important I’m missing.
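The wrapping scheme from the question above, as an added example that is not part of the original post: it models the truncation described (72 bytes or first null byte), migrates a stored md5 hex value without the password, and verifies a login afterwards. Node's standard library has no bcrypt, so `crypto.scryptSync` stands in for it; `bcryptInput` and the other function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// Legacy column value: lowercase hex of md5(password).
const md5hex = (pw) => crypto.createHash("md5").update(pw).digest("hex");

// Models what a truncating bcrypt actually hashes: input cut at the first
// NUL byte or at 72 bytes, whichever comes first.
function bcryptInput(input) {
  const buf = Buffer.from(input);
  const nul = buf.indexOf(0);
  return buf.subarray(0, Math.min(nul === -1 ? buf.length : nul, 72));
}

// Slow salted hash over the bytes bcrypt would see. scrypt is a stand-in for
// bcrypt here (assumption); the stored format "saltHex$hashHex" is constructed.
function slowHash(input, salt = crypto.randomBytes(16)) {
  const dk = crypto.scryptSync(bcryptInput(input), salt, 32);
  return `${salt.toString("hex")}$${dk.toString("hex")}`;
}

// Retroactive migration: wrap the existing md5 hex, no password needed.
const migrateRow = (legacyMd5Hex) => slowHash(legacyMd5Hex.toLowerCase());

// Login after migration: rebuild md5 hex from the password, then compare.
function verify(password, stored) {
  const [saltHex, hashHex] = stored.split("$");
  const candidate = slowHash(md5hex(password), Buffer.from(saltHex, "hex")).split("$")[1];
  return crypto.timingSafeEqual(Buffer.from(candidate, "hex"), Buffer.from(hashHex, "hex"));
}

// True when two inputs are indistinguishable to the truncating hash.
function collidesDirect(a, b) {
  const salt = Buffer.alloc(16, 1); // fixed salt, for comparison only
  return slowHash(a, salt) === slowHash(b, salt);
}
```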